Dialing For Dollars: Credit-Card Smartphones Pose New Risks


The possibility of having a cell phone hacked doesn't create much
anxiety, if all that's compromised are your Facebook friends and
some salacious photos and inappropriate text messages.

Yet if that same phone were also a digital wallet and an
electronic credit card, you could be out a whole lot of money.
Experts worry that that's what we're heading for as the next
generation of handsets enables you to pay by phone.

"The technology is new, so it's not entirely clear what the
security ramifications will be," says Kevin Mahaffey, co-founder
and chief technology officer of San Francisco-based Lookout
Mobile Security. "But there are real businesses being built out
there designed to attack software like this. It's not kids in
their garages."

Are smartphones smart enough to be credit cards, and perhaps even
more?

Smartphones are already commonly used to manage some financial
tasks, such as online banking. But companies such as Google,
Apple, Samsung and Nokia aim to cut out credit cards and cash
entirely by making phones that can handle in-store purchases.

Such “wallet” phones are common in parts of Asia. Security
analysts believe their arrival in the U.S. market, expected in
the next few years, could open up new avenues for fraud.

Right now, there are two leading ways a phone can interact with a
cash register.

In January, Starbucks launched the Starbucks Card Mobile App,
which lets U.S. customers pay for coffee and other in-store items
with iPhones or BlackBerry smartphones. The app generates a
barcode that can be read by a cash register’s scanner. Funds are
deducted straight from a Starbucks account, replenished via
credit card or PayPal.

The dominant pay-by-phone technology, however, is likely to be
near-field communication (NFC). A special chip built into the
phone uses short-range wireless signals to send credit or debit
card information directly to compatible check-out terminals or,
in one trial program, hotel guest-room locks.

Google’s Nexus S phone, on the market since December, is one of
the first NFC-enabled phones to be widely available in the U.S.
Nokia has pledged to make all its upcoming phones compatible with
forthcoming NFC standards.

The biggest breakthrough for NFC may come later this year.
Apple’s next-generation iPhone 5 will have an NFC chip built in,
according to rumors.

Mahaffey points out that the extra chip required for NFC – on top
of the cellular, Wi-Fi, Bluetooth and GPS chips – adds a layer
that could offer opportunities for hackers.

Security researchers have already demonstrated how a version of
the Jailbreakme.com exploit for iPhones can be used to secretly
install a rootkit and then tap into debit- and credit-card
transactions. There are also some rare cases of user data being
stolen via unauthorized apps.

To attack NFC transactions, however, hackers will have to use
more sophisticated techniques. Mahaffey believes that once
serious amounts of money begin to flow through these
transactions, it will attract the attention of organized
cyberthieves.

There's the so-called “man-in-the-middle” attack, Mahaffey
explains. In such a case, someone with an NFC reader would stand
near the victim during a transaction and simply relay
communications back and forth to the targeted terminal.

Some forms of authentication protocol can prevent such an
attack, but adding them raises new security issues of their own.

"The NFC part has to worry about smartphone issues, and
smartphones have to now worry about NFC issues," Mahaffey said.

As phones become ever-more complex hand-held computers, that
means increased opportunities for vulnerabilities and security
holes.

Furthermore, whereas in a corporate or enterprise environment an
IT department can push out software updates, it can be difficult
to patch problems on millions of individually registered consumer
phones.

On the other hand, when credit card fraud occurs now, the victim
has to report the breach, and then wait several days until a new
card arrives.

In the future, eliminating the threat may be as easy as updating
a phone's software.